As for accepting the PR - I'll need to speak about it with the team and we'll review to see if we believe it is good practice to bake in security workarounds/relaxations into an official client for AC.

If we choose not to, I would suggest that we re-architect this change to allow overriding the retrieval of the JWT token or token expiry which would allow you to have custom handlers without worrying about a fork of the lib.